Will Your Bottom Line be Damaged by Data Privacy Violations?
ARE YOU AT RISK? PREDICTIONS FOR 2021: PART 3
Financial risk from data privacy violations is not just an enterprise-level problem. Are you exposed? Will your cyber insurance protect you?
WHY THIS MATTERS
Data privacy law compliance is more difficult than ever before. If you violate the laws, intentionally or unintentionally, regulators may levy fines against you, or you may become embroiled in a private right of action by one or more data breach victims.
Since the US does not have a central federal privacy law, like the European Union’s General Data Privacy Regulation (GDPR), businesses must track evolving state laws to keep abreast of what has passed and what is pending. This is a challenging, costly task for businesses of all types and sizes.
Recent support for ballot measures in California, Michigan, and Massachusetts indicate a trend in consumer data privacy protection in the United States.
In our PREDICTIONS 2021: PART TWO, we discussed ballot Proposition 24, the California Privacy Rights Act (CPRA), effective January 1, 2023, which will amend the California Consumer Privacy Act (CCPA) and create the new California Privacy Protection Agency (CPPA) with authority to levy fines.
Here is a sample of recent US data privacy laws.
Evolving US Data Privacy Laws
The US has various data privacy laws, some old, some new, and some pending. How do businesses keep track of privacy compliance requirements that lack uniformity? Lawyers, academics, privacy officers, privacy associations, and data mapping service providers are doing the heavy lifting to keep the market as up-to-date as possible.
Varonis provides an overview of the US privacy law landscape and The Essential Guide to US Data Protection Compliance and Regulations.
The IAPP publishes excellent charts comparing the evolving state privacy legislation across the US.
In November 2020, in addition to California, ballot initiatives were supported in Michigan and Massachusetts.
Michigan's Proposal 2 amendment to the state constitution comes in the wake of unease toward law enforcement's use of electronic data, providing:
- Searches and Seizures -- The person, houses, papers, possessions, and electronic data and electronic communications of every person shall be secure from unreasonable searches and seizures.
- No warrant to search any place or to seize any person or things or access electronic data or electronic communications shall issue without describing them, nor without probable cause, supported by oath or affirmation.
- This section's provisions shall not be construed to bar from evidence in any criminal proceeding any narcotic drug, firearm, bomb, explosive, or any other dangerous weapon seized by a peace officer outside the curtilage of any dwelling house in this state.
- Norton Rose Fulbright refers to the US Supreme Court rulings that the Fourth Amendment requires the police to obtain a warrant to access a suspect's cell phone (Riley v. California, 2014) or to access cell phone tracking data (Carpenter v. United States, 2018).
- The changes to the Michigan constitution extend to "electronic data and electronic communications"— beyond what the US Supreme Court had addressed.
Under the Massachusetts ballot initiative for a "right to repair" law, commencing with the model year 2022:
- Any manufacturer of motor vehicles equipped with telematics systems that are sold in Massachusetts must equip the vehicles with an "interoperable, standardized and open-access platform across all of the manufacturer's makes and models."
- The data must be directly accessible by the motor vehicle owner and, with the owner's authorization, by independent repair facilities or class 1 dealers, for the time needed to repair the vehicle or for "maintaining, diagnosing and repairing" the vehicle.
- The Attorney General is required to create an explanatory notice for prospective motor vehicle owners, which the individuals will be required to sign.
- Owners and authorized independent repair shops denied access to the data might bring a private right of action.
- Penalties for each denial of access are the greater of treble damages or $10,000.
In the past few years, US states produced unprecedented new or updated data protection statutes and regulations.
Here are a few examples of recent or pending privacy laws (more to come in future articles).
New York state's SHIELD Act, effective March 21, 2020, requires:
- A covered business collecting private information on New York residents must implement reasonable cybersecurity safeguards to protect that information.
- A written information security program (WISP), as already required in California, Rhode Island, and Massachusetts.
- A data security program, including risk assessments, workforce training, and incident response planning and testing.
- Application to all employers, individuals, or organizations -- regardless of location -- that collect private information on New York residents.
- Enforcement actions by the New York Attorney General for alleged violations of the SHIELD Act, which are treated as deceptive acts or practices.
- Civil penalties of up to $5,000 per violation by a covered business.
New York state's Senate Bill SB9073, proposed in October 2020, would establish the "It's Your Data Act," which provides for:
- Protections and transparency in the collection, use, retention, and sharing of personal information.
- Like the CCPA, consumers would have rights of access, disclosure, and deletion of their data, and the Attorney General would enforce the law.
- A CCPA-like private right of action, but unlike the CCPA and the subsequent CPRA, the private right of action is for any violation of the law (not restricted to data privacy breaches only).
New York state has another privacy law in waiting: the New York Privacy Act (NYPA), Senate Bill 5642, proposed in 2019, which provides for:
- An even more expansive law than the California Consumer Privacy Act (CCPA), giving consumers even greater control over their personal information, with more demanding compliance requirements for businesses.
- An opt-in process requiring the consumer to make—and the company to record—clear, affirmative consent to processing of personal data relating to the consumer.
- A fiduciary duty on controllers, data brokers, and every entity (or affiliate of any entity) that "collects, sells or licenses personal information of consumers."
- A requirement that consumers "opt in" before their personal data is collected, processed, sold, or shared.
- A private right of action for consumers injured by a violation of the law to pursue civil remedies.
- Recovery limited to injunctive relief and actual damages (unlike the CCPA, which allows statutory damages).
- A private right of action that covers all personal data -- unlike the CCPA, which restricts the private right of action to certain personal information only (an individual's name, social security number, identification card number, credit or debit card or account number with code or password, or medical or health insurance information).
New York state's Department of Financial Services (NYDFS) Cybersecurity Regulation for financial institutions (23-NYCRR-500), final regulation effective March 1, 2017:
- It is "designed to promote the protection of customer information as well as the information technology systems of regulated entities."
- Requires each company to conduct a risk assessment and then implement a program with security controls for detecting and responding to cyber events.
- Like the EU General Data Protection Regulation (GDPR), the New York regulation has strict requirements for breach reporting, limiting data retention as well as basic principles of data security, risk assessments, documentation of security policies, and designating a chief information security officer (CISO) to be responsible for the program.
- Unlike the GDPR, the regulation prescribes precise data security controls, including annual penetration testing and vulnerability scans.
- As with the GDPR, the law intends to protect sensitive consumer personally identifiable information (PII) that cyber thieves can use for identity theft or profitable sales on the dark web.
- Provides for a maximum civil monetary penalty of $1,000 per violation of the Regulation.
The EU GDPR
The GDPR blazed a trail for the rest of the world, including the US, imposing far-reaching privacy and security regulations on organizations anywhere, so long as they target or collect data related to people in the EU.
Notably, the law levies harsh fines against those who violate privacy and security standards, with penalties reaching tens of millions of euros.
Currently, the US does not have a central federal-level privacy law, like the GDPR, which would preempt state laws. Several federal privacy bills are under consideration, including the Consumer Online Privacy Rights Act and the United States Consumer Data Privacy Act.
Where does this leave businesses trying to plan for unsettled, evolving privacy laws in the US?
We reached out to Debbie Reynolds, CEO and Chief Data Privacy Officer at Debbie Reynolds Consulting, LLC, to comment on US and EU privacy laws. Reynolds stated, "The US and the EU differ in the scale, scope, and reach of their respective Data Privacy regulations. The US has a patchwork of consumer-level, sector-specific Data Privacy laws at the federal, state, and local levels. The EU, with the GDPR, has a comprehensive Data Privacy framework for all its member states with human rights of individuals as the foundation."
Reynolds added: "In the US, it will be challenging for businesses to keep pace with the likely continued passing of state-level Data Privacy legislation until a federal data privacy law is enacted. A lack of Data Privacy cohesion has and will impact trade agreements and data movements around the world between the US and other countries."
Call to Action
Nationwide or worldwide privacy compliance planning is expensive, which means that large enterprises may be better prepared than the SMB sector, whose budgets are more constrained. Nevertheless, legal counsel and privacy experts are guiding entities of all sizes through the privacy minefield, one step at a time.
The new wave of privacy laws illustrates that consumer data privacy concerns remain top of mind while awaiting new federal legislation. Any business ignoring this wave does so at its peril because the costs are high. Ignorance is not bliss.
Stand-Alone Cyber Insurance
An investment in Stand-Alone Cyber Insurance is an investment in your survival after a cyber or privacy loss.
For example, some carriers offer cyber insurance coverage for:
- Data Security Breaches
First-party costs you suffer after a data breach include forensic investigations, notification to all those impacted, data recovery or restoration, and public relations to maintain your brand.
Third-party costs include attorney's fees, court costs, and damages from a liability claim or lawsuit.
- Regulatory Fines & Penalties
Fines or penalties imposed by a government agency, insurable under applicable law, and paid to a government entity or a consumer redress fund.
- Double Extortion Ransomware Attacks
A combination of a ransomware attack, data exfiltration, and data disclosure.
- Ransom payment demands during a ransomware attack:
Ransom payments (often in cryptocurrency) agreed with the prior written approval of the insurance company.
Ransom negotiations with the attackers conducted by security experts (regarding the ransom demand).
- Business interruption during a cyber event:
Lost net profits and extra expenses (including payroll) during a shutdown of your computer network or operations due to a ransomware attack (after a brief waiting period and during a restoration period).
- Data recovery or restoration:
Recovering or restoring lost programs, software, or data due to damage, disruption, theft, or misuse of your data during a cyber event.
- Incident response during a cyber incident:
Incident response planning.
Incident response team pre-selected from a panel of experts.
Cyber incident response costs incurred.
- Employee cyber risk awareness training:
Employee training focused on reducing the likelihood of human error by employees being tricked or manipulated into taking action that leads to a ransomware attack, data breach, or funds transfer fraud.
Investing in cybersecurity alone is not sufficient when it comes to privacy violations. The essential next step is investing in specific Stand-Alone Cyber Insurance to avoid catastrophic financial harm to your business.
- Businesses should prepare for this trend towards more stringent consumer data protection laws by adopting more robust cybersecurity protocols as part of their overall compliance program.
- Businesses subject to these new privacy laws need to work with their legal counsel to amend their privacy practices and procedures.
- A thorough review of your commercial insurance portfolio may reveal a deficiency in cyber coverage, such as missing cyber risk assessments, incident response support, coverage for regulatory fines or penalties, and defense costs.
- Businesses that are subject to these new privacy laws should invest in a dedicated Stand-Alone Cyber Insurance policy that provides coverage for potential regulatory fines and penalties and supports your business before, during, and after a cyber event.
- Cyber Armada Insurance is here 24/7 to help you during the renewal season and beyond.
Reach out to Cyber Armada Insurance to assist you with your Stand-Alone Cyber Insurance needs. We understand the evolving cyber risks and privacy risks and the importance of your investment in appropriate cyber insurance.
Contact Cyber Armada today to explore how your company can address potential financial losses from a cyberattack. Contact us at 888.727.6232.
Please watch for our upcoming articles on global privacy laws.